[Dshield] Password protected Bagle.F

John Hardin johnh at aproposretail.com
Mon Mar 1 21:35:23 GMT 2004

On Mon, 2004-03-01 at 12:32, Jon R. Kibler wrote:
> John Hardin wrote:
> > 
> > On Mon, 2004-03-01 at 09:53, Jon R. Kibler wrote:
> > > According to a thread on the ClamAV users lists, Bagle.F is now
> > > spreading via password protected zip file. The text body of the
> > > email contains the password.
> > 
> > Fortunately password-protecting a ZIP file does NOT encrypt the
> > zipfile's index - you can still see (and scan for) the archived
> > filenames without having the password. 
> Which doesn't help if the file name is random.

Why would I want to accept a zipped executable file attachment from some
random user on the Internet at large, whatever it may be named? In the
majority of cases such messages can be automatically quarantined or
discarded outright.

A proactive policy-enforcement security tool that rejects zipped
executables from unexpected sources is not hampered by
password-protecting the ZIP file attachment.

A reactive antivirus security tool that attempts to extract the files
from the ZIP so that they can be scanned for known evil signatures will
be hampered by a password protected ZIP file attachment.

The big problem I see is the seemingly monomaniacal focus on signatures,
and the attendant vulnerability windows. "I don't know what the name of
the ZIP file attachment is going to be, so I can't defend against it!"
"Symantec (or whoever) doesn't recognize this worm yet, so I can't
defend against it!" What do I care *which* worm or virus it is? If
you're not on the list of people I want to receive (zipped) executable
attachments from, you aren't going to be able to send me (zipped)
executable attachments. If for some reason I want to be able to receive
(zipped) executable attachments from the world at large, I will set up a
special account that accepts them, and only that account will accept
them, and messages in that account will get special scrutiny.

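The point made above about the ZIP index staying readable, and the policy of rejecting zipped executables from unlisted senders, as an added example that is not from this thread or from any of the tools it mentions. The archive is constructed inline with the "encrypted" flag set on each entry (the payloads are left as plaintext, since only the flag matters for the demonstration), and the executable-extension list and trusted-sender list are assumptions for the example.

```python
"""Added example (not part of the DShield thread): inspect a ZIP attachment's
central directory to list member names and flag executables without knowing
the archive password, then apply a sender-based policy. The sample archive,
the extension list and the trusted-sender list are constructed for this example."""
import io
import os
import struct
import zipfile
import zlib

# Constructed list of extensions a policy filter treats as executable content.
EXEC_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs"}

LOCAL_SIG, CENTRAL_SIG, EOCD_SIG = 0x04034B50, 0x02014B50, 0x06054B50


def build_sample_zip(encrypted: bool = True) -> bytes:
    """Build a two-member STORED archive by hand (constructed sample). With
    encrypted=True, bit 0 of the general purpose flag (traditional ZipCrypto)
    is set on every entry; the member data is left as plaintext because only
    the flag matters for showing that the directory stays readable."""
    members = [(b"readme.txt", b"password is: 12345"),
               (b"photos.exe", b"MZ" + b"\x90" * 64)]
    flags = 0x0001 if encrypted else 0x0000
    local_part, central_part = b"", b""
    for name, payload in members:
        crc = zlib.crc32(payload)
        offset = len(local_part)  # where this entry's local header starts
        local_part += struct.pack("<IHHHHHIIIHH", LOCAL_SIG, 20, flags, 0, 0, 0,
                                  crc, len(payload), len(payload), len(name), 0)
        local_part += name + payload
        central_part += struct.pack("<IHHHHHHIIIHHHHHII", CENTRAL_SIG, 20, 20,
                                    flags, 0, 0, 0, crc, len(payload),
                                    len(payload), len(name), 0, 0, 0, 0, 0, offset)
        central_part += name
    eocd = struct.pack("<IHHHHIIH", EOCD_SIG, 0, 0, len(members), len(members),
                       len(central_part), len(local_part), 0)
    return local_part + central_part + eocd


def list_central_directory(data: bytes) -> list:
    """Walk the central directory without touching member data. The ZIP
    format never encrypts this directory, so names, sizes and the per-entry
    encryption flag are readable with or without the password."""
    eocd_pos = data.rfind(b"PK\x05\x06")
    if eocd_pos < 0:
        raise ValueError("no end-of-central-directory record")
    _, _, _, _, count, _, cd_offset, _ = struct.unpack_from("<IHHHHIIH", data, eocd_pos)
    entries, pos = [], cd_offset
    for _ in range(count):
        f = struct.unpack_from("<IHHHHHHIIIHHHHHII", data, pos)
        if f[0] != CENTRAL_SIG:
            raise ValueError("corrupt central directory")
        flags, uncomp_size = f[3], f[9]
        name_len, extra_len, comment_len = f[10], f[11], f[12]
        name = data[pos + 46:pos + 46 + name_len].decode("cp437")
        entries.append({"name": name, "encrypted": bool(flags & 0x0001),
                        "size": uncomp_size})
        pos += 46 + name_len + extra_len + comment_len
    return entries


def executable_members(data: bytes) -> list:
    """Names of archive members whose extension is on the executable list."""
    return [e["name"] for e in list_central_directory(data)
            if os.path.splitext(e["name"])[1].lower() in EXEC_EXTENSIONS]


def attachment_verdict(data: bytes, sender: str, trusted_senders: set) -> str:
    """Policy: zipped executables are accepted only from listed senders. The
    verdict depends on neither a malware signature nor the archive password."""
    if not executable_members(data):
        return "accept"
    return "accept" if sender.lower() in trusted_senders else "quarantine"


def stdlib_cross_check(data: bytes) -> tuple:
    """Same asymmetry with the standard library: namelist() works without a
    password, while reading an encrypted member raises RuntimeError."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        try:
            zf.read("photos.exe")
            needed_password = False
        except RuntimeError:
            needed_password = True
    return names, needed_password


if __name__ == "__main__":
    sample = build_sample_zip()
    for entry in list_central_directory(sample):
        print(entry)
    print("stranger:", attachment_verdict(sample, "stranger@example.net", {"admin@example.org"}))
    print("trusted: ", attachment_verdict(sample, "admin@example.org", {"admin@example.org"}))
```

The parser reads only the end-of-central-directory record and the central directory entries, so it never needs to decrypt anything; a mail filter built this way can quarantine on the basis of member names and the sender alone, which is the proactive check the post argues for.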
